Search

Subscribe

Secret Questions

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways-South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

Comments

As I said to one of the researchers, as the designers of these systems are not going to replace them overnight (or possably at all) perhaps we should strengthen them by asking multiple questions to reduce the guess factor.

That is instead of just answering "first pets name" you have to answer three or four all correctly before the system says yes or no.

The most common answers will be 0 and 511 by far, anthing 1-10 will closely follow, then 11-100. Expect 69 to be rather high on that list, as well as 60-90 (year of birth, varies depending on age demographic).

Just like nearly every 4 digit pin ever picked has been between 1900 and 2000. People will always fine stupid ways to answer these questions. :)

@Andre LePlume: I know you're probably not being serious, but schemes like that have the disadvantage that users' answers will be biased towards lower numbers.

To give an (admittedly somewhat contrived) example, you couldn't get 128 bits of security by asking "what's your favorite non-negative integer smaller than 2^128", but even when you only go to 511, chances are you'd get, say, "10" more often than "437".

I always encrypt the answers in an unusual fashion, but I'm well aware that in most cases this is non-optimal "security overkill" when I look at the comparative probabilities that I actually need to recover a password vs. the probability that someone will actually bother to try to compromise my account.

@ Clive
"the designers of these systems are not going to replace them overnight"

I think you're even optimistic. For example, I've encountered at least one case where such a system _refused_ to let me give it an unusual answer.

It seems like sites that let you specify your own "secret questions" (OPM e-Qip comes to mind) are more effective than ones that enforce the usual selection of "mother's maiden name/first pet/favorite color"

I bet Facebook has made getting the answers to secret questions much easier.

My favorite 'secret question' moment was when a company asked me what month my mother was born in. The representative then listed 4 months for me to choose from. So my odds went from 1 in 12 to 1 in 4, better odds than rolling the dice.

I've never used the recover password feature. I always put random nonsensical letters, expecting never to recover the account in this fashion. Granted, this might mean I have to contact the service personally and give info to reset it, but it hasn't happened yet since my passwords are well kept and secure.
Anyone using this kind of thing should remember the Palin Yahoo incident

@Adam T: "I've never used the recover password feature. I always put random nonsensical letters, expecting never to recover the account in this fashion. "
____________

I'll recover it using this feature, but I put nonsense in it. For example, figuring out the maximum lenth and valid characters, and then using Password Safe or something similar to generate it. Using a tool now, on 10 text characters text only, I would imagine an attacker is unlikely to unlock my account with the secret "word": GqBxHIgLNg

What I hated about this when they first started was the case sensitivity of the question. you not Only had to remeMber the questions EXACTLY as you initially entered it you had to remember the case and any punctuation.

That's not using "easy to remember human natural language". It might as well be long strings of giberish that can be copied and pasted from password safe.

My favorite way to deal with password recovery questions is to give the wrong answers. For example, I know what city I was born in, but I always put a -different- city in the box when asked. Mother's maiden name? Made up. First pet's name? Use some obscure Russian town name.

@Clive Robinson
As I said to one of the researchers, as the designers of these systems are not going to replace them overnight (or possably at all) perhaps we should strengthen them by asking multiple questions to reduce the guess factor.

In many cases you "answer" dosn't have to be "correct" or even meaningful (to a human).

A computer probably isn't going to mind if you tell it that your mother's maiden name is "The Great Zodin", "James Blish" or even "Hg983dhdhfajjdeocn"

Can we gang up and try to guess who Shirley's mother's maiden name was? (and have a moderator nuke what looks, to me, like spam?)

I think it'd be an interesting exercise in human memory to try to design "secret questions" which allow far more bits of data by matching closer to how the brain works. I'm thinking something leveraging our ability to do shape recognition.

It'd also be interesting to have a bunch of photos and say "select which photos you uploaded." Prompt people to upload really odd things like a streetsign in their hometown.

@Joe: I laughed out loud (much to the confusion of the people around me) imagining what your phone call must have been like. Well played.

In general, I think this is another case of "you don't have to be faster than the bear, just faster than your friends". The answer to your secret question doesn't have to be impossible to guess, just hard enough that it's not worth trying.

As with everything else, an important question is what the secret questions protect. If it's the ability to reset the password, that's bad. If it's the ability to have a one-time password reset token sent to the e-mail address on record, that's not so bad.

So, for the e-mail account where these e-mails are sent, you need hard secret questions. For everyplace else, it's less important.

I just answer the security questions with nonsense at least as secure as the password. I store the answers in a KeePass database, & back it up regularly.
Example:
My eldest sibling's first name is TH-Q*&&u,3&CrL
My first employer was oD?dI{Q[d;
My eldest sibling's middle name is $Qu.jp~)eP~\k&PSh:Fz'p.
The city I'd most like to visit is 6%MTg9tTiWc{P4[K$G[!H\.
My father lives in dgf_(f,071jbyd\4[r!qQZ.

I used to type random nonsense for the answers because I don't want the password recoverable. Recently I got burned when the final confirmation step required the answers to my secret questions (which I hadn't saved). So now I save the random answers too.

'In many cases you "answer" dosn't have to be "correct" or even meaningful (to a human).'

Agh no, the last bit is wrong, for most people the answer has to be "meaningful" or it's not memorable.

And that's the point of these questions they are the last resort when time has taken all else away (including the writing on Bruce's "bit of paper in your wallet"). And for most humans that means they have to be "correct" as well...

My answers to those questions have never ever anything to do with the question - why should they? I should be able to recover my account or password, not any random person guessing the answer to the question asked...

@John Gordon: "Sometimes I look at the secret question madness and I despair of humanity. If smart people are this stupid, then what hope do we have?"
___________

On one hand, I agree. On the other hand, smart people have the impossible task of devising mechanisms that can be used by dumb people.

One of my more unpleasant tasks when I was in college was at work where I had to answer the phone for the receptionist during her lunch hour. Something worse than dealing with dumb people is dealing with dumb people who think they are smart, especially when they are argumentative and impatient.

@HJohn: It's worse than smart people devising mechanisms usable by dumb people. That can frequently be done.

It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult. Particularly when you can't get creative with the solution. Most people can handle physical keys, but we're limited to typed information passed back and forth.

Most of the time I just type "123456" into both answer fields because, the fact is, nobody is REALLY that interested in that forum login you made to post one comment.

Like many users here, I have a small pool of words and numbers learned over time that I can pull from and reuse for these things. Most have meaning and some don't. A very common one to use is a library card number. It's easily accessible, but watch out, this one can actually change if your card is replaced. Likewise for your IMEI phone serial (dial *#06# on your phone). My favorites are student ID numbers.

Some particularly clever/proper implementations will use your frequent flier number, which is less likely to change but often not on hand. I would not use something random or something you could lose. The problem of not being able to regain access is an equally common, potentially worse issue, but that's probably a topic for another article.

If you're looking for something easy and strong, I use SHA1 to generate my answers. There's nothing to backup, write down or save, and the algorithm is easily accessible from any Unix machine and won't be lost. Just use >sha1 or >openssl dgst, type an optional secret that's easy to remember (e.g. "BabyOneMoreTime"), space, the 2nd-level TLD as a site-specific salt ("schneier.com"). To generate two answers add an index such as " 0" or " 1". Truncate to taste.

Sites and applications that let you specify the "question" make it especially easy, e.g.:
Q: "right(16,sha1(secret," schneier.com 0"))"
A: e44d6b4cb8dcbf54

This is only for credentials that might be important.

In the case of online-banking however and their very notorious, one-factor-times-two-authentication: I will almost always put some easy to remember or some generic answer because I hate trying to 1) remember what it is, 2) type it in, 3) check it's right, and 4) hope I don't get locked out because you only get three tries... every time I clean my cookies, disable the flash storage or use a public terminal.

So finally,
My Mother's Maiden Name is "abcdef"
My City of Birth is "abcdef"
The first street I lived on is "abcdef"

And Bank of America can take their ridiculous weekly "We don't recognize this computer" Site Key prompts and shove it up their PCI :P.

@David: "It's worse than smart people devising mechanisms usable by dumb people. That can frequently be done.

It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult."
_________________

True. I also probably should have said "effective and secure mechanisms." Any smart person can make something a dumb person can use, the challenge is making something a dumb person can use that is effective and secure.

The average user is supposed to use different complex passwords. Put in fake answers for a recovery password scheme. Use a password management system (how many are going to do that?) which can get exposed when malware comes on from sites they visit get pwned. Make off site back-ups.

Yeah, the computer world has certainly made things easier to manage. There has got to be an easy way (and it has to be cheap) to use secondary mechanisms for authorization/authentication (oh wait, that might allow for tracking which would lead to privacy issues).

@AppSec: Yes, the computer world has made things easier. One thing that's easier is breaking into things. In order to get into my house, a burglar needs to physically come to my specific house and physically implement a way to enter. In order to get into my computer, a guy sitting in Romania can kick off a script that affects a few thousand or million computers in addition to mine.

Ideally, it would be possible to have an on-line identifier, a bit like OpenID, so it would be necessary to secure only one account. Of course, it's at this point that the dancing kitty malware installs a keyboard logger, and steals all the victim's authentication wholesale, unless there's a hardware gizmo or something the user has.

I'm not completely convinced it's a "no-win" situation, but I don't have any good ideas to the contrary.

Good post. I might also add that the physical burglary example does not have the cascading effect that technology introduces. By that, I meant that if someone breaks into your house, they can't use that effectively to attack your neighbors and friends. When a computer is compromised, they can use the trust afforded the victim (as well as added processing power, etc.) to attack friends and neighbors.

Technology also makes impersonation easier. Someone can pose as a trusted friend, a child, a hottie looking to get busy, when their actual persona and motives are a bit more dubious.

"Todays game - PLACE OF BIRTH! Everyone please play! You will find it interesting to know where your FB friends birth places are. Copy & paste this on your profile, then put your place of birth at the end of this sentence... Newport, Rhode Island :)"

Run enough games like these and you can get whatever information you want.

This type of attack has been used to social engineer users for a long time. Back when Yahoo! used Zip/Postal Code and Date of Birth as part of password reset, it was widely known that these could be obtained from their public (even Yahoo!) profile. Didn't Paris Hilton get hacked this way?

As for getting whatever information you want. I need to post this...

"Todays game - SOCIAL SECURITY NUMBER! Everyone please play! You will find it interesting to know what your MySpace friends SSN/ITIN is even or odd. Or maybe even a Mersenne prime. Copy & paste this on your profile, then put your SSN, SIN or equivalent at the end of this sentence... 141-59-2653 :)"

"In order to get into my house, a burglar needs to physically come to my specific house and physically implement a way to enter. In order to get into my computer, a guy sitting in Romania can kick off a script that affects a few thousand or million computers in addition to mine."

That is the problem I've been going on about for a while.

"Tangable -v- Intangable worlds"

As we live mainly in the tangable world that is generaly how we think about things, as physical objects with mass/energy constrained by distance metrics and forces.

Computers deal with information that is an artifact of an intangable world, information has no mass/energy and is uneffected by time and thus not constrained by distance and forces (which is why we only have entropy as a measure for it...).

The only time information has physical form is when we have it as knowledge which we store or communicate. And the reality is that the mass/energy involved per bit of knowledge is well neigh meaningless in human terms and is only meaningfully constrained by bandwidth and the speed of light.

When it comes to security we have real issues with tangable -v- intangable as our perception is mainly of a tangable world, and thus we have fundermental but hidden assumptions based around the tangable.

These fundemental hidden assumptions cause real problems. Usually because we try to take a physicaly constrained metric and try to use it on intangable information and it does not work.

You raised two of three hidden security assumptions, "locality" and "force multiplication".

You did not mention the third "undetectable duplication" by which I can steal from you by copying your information. And you will well remain blissfully unaware of untill I chose to use the copy in an obvious way.

Thus if I steal your password to your email account unless "auditing" is made available to you in a secure way or via another channel you will be unaware I have read your private communications.

This ability to make an undetectable copy of information makes Man
In The Middle and relay attacks possible which brings me to your point,

A "hardware gizmo" will no stop relay attacks unless all the information is protected by it at all points at all times. Which although not impossible is very hard as you are using information to protect information...

Which is why you are correct to say,

'I'm not completely convinced it's a "no-win" situation, but I don't have any good ideas to the contrary."

I've had one or two but hidden assumptions always end up bitting you in th 455.

One way I originaly thought of doing it was with "capatchers" say the web site sent a random array of capatchers as buttons and you had to click on the correct sequence of letters or numbers.

The work involved with logging etc to get the information is quite large as computers are not good at that type of "visual recognition". And thus I thought it would put a high work factor in for the malware writers than the legitimate user and thus change the security tipping point in the users favour.

I was both right and wrong... What I had not factored in was the availability of "dirt cheap humans". The Malware writers simply hired people in third world countries to do the "visual recognition" for them...

The lesson is no matter how smart you and others think you are, there is always going to be somebody who has a different perspective and ends up making you look dumb 8(

I remain convinced that the best security is simply not having anything of value to another person. This doesn't eliminate the problem because there are people out their who would like to see me die just for the hell of it. But it does make it much more manageable.

"The Secret Word is Groucho"http://tinyurl.com/yhyc2bv
Even Groucho would try to give it away in a conversation. How many of your secrets are given away in casual conversations, just for fun or by accident, just because they are on your mind all the time.

Supposedly this whole "secret question" thing got started by Bank Of America, who did it on their website, then pushed for it to be required for financial institutions, so as to hobble their competitors for a bit.

My credit union's online banking added it not too long ago. I have a business account (as well as personal accounts there), it's interesting to come up with answers like "who was my consultancy's prom date?"

Of course, like others in this thread, I use random stuff and a password safe. (This bit me in the butt when one place changed systems, and the new one didn't allow nonalphanumerics in the password or password-reset questions).

Treasury Direct does this more sanely; they issue you a physical card in the mail with a grid printed on it, then ask after you enter your password, "what's in A-3?"

@HJohn: . By that, I meant that if someone breaks into your house, they can't use that effectively to attack your neighbors and friends.

That depends on if those friends had spare keys for neighbors lying around the house. You know, for those times that you get locked out or go away for the weekend and want someone to pick up your mail, take out your dog, or whatever.

I agree with the premise of scalability, though.

@David:
I think part of the issue isn't just from a user side, it's from a site side. I'm still conflicted on the whole "certification" for a site/developer. Some of the smartest people I know don't have college degrees, and some of the crumiest contractors are licensed. But at some point you almost have to agree wit hteh whole prinicple of inspections and signoff when everything is so interconnected.

@AppSec: There's a paper at http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf about the economic value, to the user, of dealing with security issues. Basically, the author claims that the direct and indirect costs to the individual of security processes are frequently way in excess of direct and indirect costs of security breaches, particularly when ignoring economic externalities. (Caveat: I haven't finished reading the paper yet.)

@David: It's the trying to devise mechanisms that can be used by dumb authorized people and not by smart unauthorized people that's difficult.

----

That's the problem the US park service had once with anti-bear locks on trash bins.

They had to be simple enough that human beings could open them to throw out trash, yet complicated enough that bears couldn't open them to grab a snack. Apparently, there's significant overlap between the dumbest person and the smartest bear.

@David:
I'd like to see the same comparison done with home security and auto security. I know I spend a few minutes every nice day opening and closing my car door windows/sunroof. How about those that set thier home alarm and car alarm?

Both of those items, when they are stolen, are covered by home owners or auto insurance policies. There is no real direct cost to the customer -- it's an indirect cost of finding a new car and deal with the emotional aspect.

My guess is that customers don't feel the emotional connection as much to "virtual data" and simply don't find dealing with the complexity worthwhile. I doubt there's any real thought at all into the risk -- from an average user.

@AppSec: I've wondered about locking my car when at home. I never have anything valuable in it, and rather suspect that leaving it unlocked would have saved me one broken window. If it doesn't affect insurance claims it would seem to be a bad idea. The windows and sunroof I leave closed when parked, because I've left them open during a rainstorm before.

And, according to the paper I cited, it looks like the security risks are low enough that it may not be worth thinking about it. I have certain security practices for emotional reasons, because I'd feel deeply embarrassed if I got snared rather than because I'd feel out-of-pocket loss. Other people may not feel the same.

Like many other people I use wrong answers for the 'secret' security questions.

One thing I've not found out, is if there is collusion on the answers between financial institutions. In the UK, for example, 'mother's maiden name' is used as a security question across many financial institutions, and I believe a new institution that you have never dealt with personally before may well check your answer against data shared amongst financial institutions, thus flagging you up if the answer varies. Does anyone know the truth or otherwise of this? Note that the DPA may well not apply in this instance (for several reasons).

And some stupid mail service (yahoo) dont allow you to change your secret question! Surprised? try to do it.

Firstly, you will be searching for that form in mail options then. Then you would need to go to help section and search in there. After that you will get one link to a form. Now that form asks you to fill up lot of information including your last secret question and answer, your name and other stupid things. Then when you think its done and submit the form, wait for some days just to realize, that the form was just submitted to /dev/null device on the server.